CISSP in 2026: Requirements, Exam, Cost & Is It Worth It?
Updated: June 2026 · Read time: 11 min · Level: Senior
CISSP is the gold-standard senior security certification — and one people often chase too early. It's respected, well-paid, and frequently required for management and government roles, but it has a five-year experience requirement and assumes a broad working background. This guide covers what CISSP really is, the experience rules (and the workaround), the exam, the cost, and who should actually pursue it.
CISSP at a glance
| Item | Detail |
|---|---|
| Full name | Certified Information Systems Security Professional |
| Provider | ISC2 |
| Level | Senior / management |
| Exam format | Computerized Adaptive Testing (CAT): 100–150 questions |
| Time | 3 hours |
| Passing score | 700 / 1000 |
| Cost | ~$749 exam + $135/year maintenance |
| Experience | 5 years in 2+ of the 8 domains (1 year waivable) |
| No experience? | Pass exam → Associate of ISC2 → 6 years to earn it |
| Domains | 8 (the Common Body of Knowledge) |
| Maintenance | 120 CPE credits per 3-year cycle + annual fee |
⚠️ ISC2 updates exam rules and fees. Confirm everything on the official ISC2 CISSP page before you commit.
Is CISSP worth it? The honest take
For the right person, CISSP has excellent ROI. For the wrong person, it's a waste of money and months of study.
It's worth it if you're:
- Mid-career or senior in security, aiming at management, architect, or lead roles.
- Targeting jobs or government/DoD roles that list CISSP by name (many do — it's a DoD 8140 approved cert).
- Able to meet (or close to) the five-year experience requirement.
It's not worth it (yet) if you're:
- A beginner — you can't be fully certified without the experience, and the material assumes a working background.
- Focused on hands-on technical work — CISSP is broad and managerial, not a hands-on hacking cert.
- On a tight budget without a security job yet — your money goes further on Security+ plus experience.
We go deeper on the cost-benefit math in Is CISSP worth it? and on pay in the CISSP salary guide.
The experience requirement (the part people miss)
This is what makes CISSP different from Security+ or CEH: you can't just pass an exam and be certified.
- You need five years of cumulative, paid, full-time experience in two or more of the eight domains.
- One year can be waived with a relevant four-year college degree or an approved certification (Security+ counts), bringing it to four years.
No experience yet? The Associate of ISC2 path
If you don't have the experience, you can still take and pass the exam, then become an Associate of ISC2. You then have up to six years to earn the required five years of experience, after which you become a full CISSP. This is a legitimate, common route — pass the hard exam while the material is fresh, then let your career catch up.
Endorsement
After you pass, an active ISC2-certified professional must endorse you (vouch for your experience) within nine months. ISC2 can also audit your claimed experience.
The exam: CAT format and the 8 domains
The English CISSP exam uses Computerized Adaptive Testing (CAT):
- 100–150 questions in 3 hours. The test adapts: answer well and it gives harder questions and may end early; struggle and it keeps probing.
- Passing score: 700 / 1000.
- Question types are mostly multiple-choice plus some advanced formats (drag-and-drop, scenario items).
- It's a mile wide: the exam tests management-level understanding across all eight domains, not deep technical execution. "Think like a manager" is the classic advice.
The 8 domains (Common Body of Knowledge)
- Security and Risk Management (the largest domain)
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security
📋 ISC2 publishes the official exam outline with exact domain weightings (the CBK was refreshed in April 2024 and is current in 2026). Use it as your master checklist and confirm the current version before studying.
Cost & ongoing upkeep
CISSP is not a one-time purchase:
| Item | Approx. (USD) |
|---|---|
| Exam fee | ~$749 |
| Annual Maintenance Fee (full CISSP) | $135/year |
| AMF (Associate of ISC2) | $50/year |
| Retake | same as exam fee |
| Training (optional) | hundreds to a few thousand |
To keep the cert, you must earn 120 CPE (Continuing Professional Education) credits over each 3-year cycle (40/year), plus pay the annual fee. Budget for the upkeep, not just the exam.
How long to study?
CISSP is broad, and most candidates study 3–5 months even with experience. The challenge isn't deep technical difficulty — it's the sheer breadth across eight domains and the "think like a manager" mindset the questions reward. Experienced practitioners who've touched several domains have a real advantage; the exam is much harder to cram from scratch.
CISSP vs Security+ vs CEH
| | Security+ | CEH | CISSP |
|---|---|---|---|
| Level | Entry | Intermediate | Senior / management |
| Provider | CompTIA | EC-Council | ISC2 |
| Prerequisite | None | Training or 2 yrs | 5 years experience |
| Focus | Broad defensive basics | Offensive techniques | Broad security management |
| Cost | ~$425 | ~$950–$1,199 | ~$749 + upkeep |
| Best for | Breaking in | Recognition / gov roles | Senior / leadership roles |
The progression: Security+ to break in → experience (and maybe CEH along the way) → CISSP once you have the years behind you. They're steps on a ladder, not competing choices. (Head-to-head: Security+ vs CISSP.)
FAQ
Is CISSP worth it in 2026? For mid-career and senior professionals targeting management or government roles, yes — it's respected, often required, and tied to high salaries. Not worth it as a first cert, since full certification needs five years of experience.
What are the CISSP experience requirements? Five years of paid, full-time work in 2+ of the eight domains; one year waivable with a degree or an approved cert like Security+. Experience can also be earned after passing via the Associate path.
Can I take CISSP with no experience? Yes — pass the exam, become an Associate of ISC2, and you have up to six years to earn the five years of experience to become a full CISSP.
What is the CISSP exam format and passing score? Adaptive (CAT): 100–150 questions in 3 hours, passing score 700/1000, across eight domains. An ISC2-certified professional must endorse you afterward.
How much does CISSP cost? About $749 for the exam, plus a $135/year maintenance fee and 120 CPE credits per 3-year cycle. With training, often $1,000–$2,000 all-in.
CISSP vs Security+ — which first? Security+ first to break in; CISSP later once you have the experience. They're a progression, not an either/or.
Figures are from ISC2 and public sources (2026) and can change. Confirm current requirements, cost, and exam details on the official ISC2 site before you commit.